Ask the Expert: Evolutions in Cyberlaw
Where is cyberlaw; what’s missing; why does it matter; and where should it go from here?
A great deal of discussion revolves around cyberspace, cyberwarfare, cybercrime, cyberdefense and cybersecurity, but what about cyberlaw, a critical component of societies’ abilities to address the other components successfully? “Cyber” is a global, multitrillion-dollar industry with annual cybercrime cost estimates ranging from $250 billion to $1 trillion. Determining how to define cybertransgressions; properly and accurately identify friendly, neutral and adversarial cyber actors; and develop the laws and international conventions to handle them are serious concerns for the future of civilian and national security and defensive realms. Such determinations have to properly balance corporate, security and defensive, property and privacy interests within frameworks consistent with U.S. legal ideals.
Communications devices including the Internet clearly have military applications, but their impact on national defense is less obvious than their commercial impact. Not surprisingly, associated law primarily focuses on protecting business and markets while providing regulation and oversight over the commercial sector, instead of establishing a general framework for security, privacy, military operations and national defense.
When asking, “Where is cyberlaw?” follow the money. Since the late 19th century, cyberlaw—specifically communications and antitrust laws—has been built around commerce, access to markets and protection and licensing of cyber resources and intellectual property. Not until the mid to late 20th century did law impacting cyber offer limited focus on defense and enforcement. Corporate need has driven the majority of legal developments.
More than a century ago, the legal foundation of the cyber realm was laid in U.S. law, with sparse additional legislation coming out since then. These laws deal with emerging technologies and communications in two distinct areas: 1) commerce, trade and regulation; and 2) law enforcement and security.
Cyberlaw is a lagging indicator of society’s requirements. The rather narrow commerce and security approach has changed little since the early 20th century. In fact, the security offered in law is primarily found in the Foreign Intelligence Surveillance Act of 1978 and the Defense Department Appropriations Act of 1987, outlining authorities for the National Security Agency and the U.S. Strategic Command. Legal notions of cyberdefense are found in the Federal Information Security Management Act of 2002, which outlines information assurance and acquisitions requirements for information technology.
So what’s missing?
Cyberlaw policy makers should consider a framework that transparently balances commercial interests, national security interests, personal privacy, globalization, effective defense, allowable offense and internationally acceptable norms. Particular emphasis should focus on ensuring access to the global information commons—the Internet’s capability to allow rapid exchange of information, ideas, commerce and collaboration—essential to developmental and commercial activities in a globalized world.
The military aspects of cyberspace activities should be clearly addressed in law and international convention. There are no Fourth Geneva or Hague Conventions or Geneva Protocols addressing military activities in cyberspace beyond the proposals in the Tallinn Manual, but similar principles should apply. Current U.S. policy allows for the full range of military options in the event of a cyber attack. But cyber attack lacks a legal or internationally accepted definition.
Commercial concerns about cyberspace are similarly distressing. Identity theft, corporate espionage and intellectual property theft are a few highly profitable cybercrime areas of operation. There is no legal framework for consistent attribution of cyber events, yet attribution is essential to what would be a criminal, diplomatic or military response. Definitions matter and the debate must include military, commercial, privacy and international concerns. Presently the debates are too segmented to achieve a holistic approach.
The debates must include military and civilian cyberprofessionals, military and industry leaders, academics, diplomats and legislators who develop and routinely review the core definitions surrounding the vast panoply of cyberspace activities. What is cyberwar or cyber attack? Is a domestic cyber event that cripples critical infrastructure a criminal, terrorist or cyber scenario? What are domestic and internationally accepted norms for response? What is an acceptable corporate response for active defense and protection of its intellectual property?
Legislation will not solve our problems, but it must start addressing them. Commercial interests are critical. Military application is frightening. U.S. law must consider the impacts of unanticipated international repercussions and long-term impacts with periodic review. We cannot continue to rely on outdated legal concepts.
Lt. Col. Carl Allard Young, USA, is a signal and information systems management officer, currently assigned as joint planner in the Joint Staff J-5 in the Joint Operational Warplans Division and the J-5 lead for technological requirements and coordination for information technology-related aspects of Adaptive and Deliberate Planning. He serves on the AFCEA Professional Development Committee.
The views expressed in this article are those of the author and do not reflect the official policy or position of the U.S. Defense Department or the U.S. government.